You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by "Richard Zowalla (Jira)" <ji...@apache.org> on 2021/09/13 11:23:00 UTC
[jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or
later to address CVE-2021-33037
[ https://issues.apache.org/jira/browse/TOMEE-3778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17414147#comment-17414147 ]
Richard Zowalla commented on TOMEE-3778:
----------------------------------------
8.0.8 is now available and comes with Tomcat 9.0.52
> Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037
> -------------------------------------------------------------------
>
> Key: TOMEE-3778
> URL: https://issues.apache.org/jira/browse/TOMEE-3778
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Build
> Affects Versions: 8.0.6
> Reporter: Syed Jafri
> Priority: Major
>
> *Description*:
> Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
> *Link*: [https://nvd.nist.gov/vuln/detail/CVE-2021-33037]
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)